
WO2013086758A1 - Ethernet encryption and authentication system and method - Google Patents


Info

Publication number: WO2013086758A1
Authority: WO (WIPO, PCT)
Prior art keywords: network card, encryption, host, serial number, sha
Legal status: Ceased
Application number: PCT/CN2011/084741
Other languages: French (fr), Chinese (zh)
Inventors: 李德强, 时培昕, 王博
Current assignee: Opzoon Technology Co Ltd
Original assignee: Opzoon Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC

Abstract

An Ethernet encryption and authentication system and method. The system comprises an encryption switch and an encryption network card installed in a client host. The encryption network card comprises: an EEPROM memory with SHA-1, used to store the serial number and key of the encryption network card and to generate a message authentication code from the serial number, the key and user-defined data; a CPLD, used to generate a random number and to produce a control word for encrypting important data packets; and a network control chip, connected respectively to the EEPROM memory with SHA-1 and to the CPLD, used to control the Ethernet interface. The encryption switch comprises a SHA-1 coprocessor, used to store the serial number and key of the encryption switch, to generate a random number, and to generate a message authentication code from the serial number, the key and the random number. The present invention ensures the real-time availability of the encrypted network, offers high security, is difficult to crack or eavesdrop on, and reduces the cost of Ethernet encryption and authentication.

Description

Ethernet encryption authentication system and encryption authentication method

Technical field

The present invention relates to the field of Ethernet encryption and authentication technology, and in particular to an Ethernet encryption authentication system and an encryption authentication method.

Background

Ethernet encryption technology is mainly used to prevent unauthorized computers from connecting to an organization's internal LAN and stealing confidential information; it also prevents office computers inside the organization from being interconnected with unauthorized computers, which would allow confidential data to be copied. The key devices in Ethernet encryption technology are the Ethernet encryption switch and the Ethernet encryption network card. The prior art typically encrypts and decrypts Ethernet data at the encryption switch and at the encryption network card, either in hardware or in software.

Hardware encryption technology mainly inserts an FPGA device between the network controller (MAC) chip and the PHY chip on the encryption network card side to encrypt and decrypt the data on the MII/GMII interface, and likewise inserts an FPGA device between the switching chip (MAC) and the PHY on the encryption switch side to perform the reverse encryption and decryption on the MII/GMII interface data. This type of technology requires FPGA devices to be inserted between the MAC and the PHY on a large scale, so its cost is high; the number of authentications is limited and real-time authentication is not possible, so its security is poor. In addition, the encryption algorithm implemented inside the FPGA is relatively fixed, so once it is cracked, other devices are exposed to attack as well.

Software encryption technology uses the processing capability of the processor on the encryption network card side and on the encryption switch side to encrypt and decrypt Ethernet frames or their upper-layer packets. This type of technology is easily disassembled, traced and deciphered by malicious parties, so its security is poor; its encryption algorithm is fixed and can easily be cracked by eavesdropping. In addition, software encryption and decryption consumes a large amount of CPU processing power, which reduces the throughput of the network and the processing capacity of the device.

Summary of the invention

The technical problem solved by the present invention is how to ensure the real-time availability of the encrypted network, how to improve the security of the system so that it is not easily cracked or eavesdropped on, and how to reduce the cost of Ethernet encryption and authentication.

To solve the above problem, the present invention provides an Ethernet encryption authentication system comprising an encryption switch and an encryption network card installed in a client host; the encryption network card comprises:

an EEPROM memory with SHA-1, used to store the serial number and key of the encryption network card and to generate a message authentication code from the serial number, the key and user-defined data;

a CPLD, used to generate a random number and to produce a control word for encrypting important data packets;

a network control chip, connected respectively to the EEPROM memory with SHA-1 and to the CPLD, used to control the Ethernet interface;

the encryption switch comprises a SHA-1 coprocessor, used to store the serial number and key of the encryption switch, to generate a random number, and to generate a message authentication code from the serial number, the key and the random number.

Preferably, the network control chip provides an extended IIC interface, GPIO and a PCIe interface.

Preferably, the network control chip is an Intel 82574 chip, though it may also be any other network control chip that meets the functional requirements.

The present invention also provides a method, using the foregoing system, by which the encryption switch authenticates a host, comprising the following steps:

A: When the encryption switch detects that a new host has connected to one of its network interfaces, it sends a custom message to the host requesting the serial number of its encryption network card;

B: The host communicates, through the network control chip, with the EEPROM memory with SHA-1 on the encryption network card, reads the serial number of the encryption network card and sends it to the encryption switch;

C: The SHA-1 coprocessor on the encryption switch generates a random number and a challenge message, which are sent to the host, and generates a verification message authentication code from the random number, the serial number of the encryption network card and the key;

D: After receiving the challenge message, the host passes it to the EEPROM memory with SHA-1 on the encryption network card;

E: The EEPROM memory with SHA-1 generates a message authentication code from the received random number, the serial number of the encryption network card and the key;

F: The host encapsulates the message authentication code generated by the encryption network card in a response message and sends it to the encryption switch;

G: The encryption switch compares the verification message authentication code it generated with the message authentication code sent by the host. If the two match, it provides network switching service to the host; otherwise it shuts down the port to which the host is connected.

Even for a host that has passed authentication, the encryption switch may re-initiate the authentication process at regular intervals (for example, every few minutes); if the host passes, service continues, otherwise the host is isolated from the rest of the network.

The present invention also provides a method, using the foregoing system, by which a host authenticates the encryption switch, comprising the following steps:

A1: After the host detects that it has established a connection with the encryption switch, it sends a message requesting that the encryption switch provide the network card serial number; the encryption switch communicates with its SHA-1 coprocessor, reads the network card serial number and sends it to the host;

B1: The CPLD generates a random number, the EEPROM memory with SHA-1 reads out the network card serial number, and the random number and the network card serial number are encapsulated in a challenge message and sent to the encryption switch;

C1: The host sends the random number generated by the CPLD to the EEPROM memory with SHA-1, which computes a verification message authentication code from the random number, the network card serial number and the key;

D1: The encryption switch sends the network card serial number and the random number from the received challenge message to its SHA-1 coprocessor, which computes a message authentication code from the random number, the network card serial number and the key;

E1: The encryption switch encapsulates the computed message authentication code in a response message and sends it to the host;

F1: The host sends the received message authentication code and the verification message authentication code to the CPLD for comparison. If the two match, the host uses the network switching service provided by the encryption switch; otherwise the CPLD shuts down the network connection of the network card.

The present invention also provides a method, using the foregoing system, for mutual authentication between the encryption network card driver (the driver may be implemented in various ways, including as a driver program) and the encryption network card, comprising the following steps:

A2: A USB KEY containing a SHA-1 coprocessor is inserted into a PCI slot or USB port of the host;

B2: The encryption network card driver sends the encryption network card a request to read its serial number, reads the serial number and sends it to the USB KEY;

C2: The encryption network card driver requests the USB KEY to generate a random number, reads that random number and sends it to the encryption network card;

D2: The EEPROM memory with SHA-1 generates a message authentication code from the key, the random number and the serial number of the encryption network card, and the encryption network card driver reads it back;

E2: The USB KEY generates a verification message authentication code from the key, the random number and the serial number of the encryption network card, and the encryption network card driver reads it back;

F2: The encryption network card driver compares the message authentication code with the verification message authentication code. If the two match, the network connection continues to be used; otherwise use of the network connection is stopped.

Preferably, the above method further comprises a step in which the CPLD maintains a timer that supervises the periodic authentication of the encryption network card by the encryption network card driver. If the timer expires, this shows that the host software is illegitimate or is not running properly, and the CPLD autonomously disconnects the network connection of the network card; this is in effect an authentication of the host software.

The present invention also provides a method, using the foregoing system, for encrypting and decrypting data packets, comprising the following steps:

A3: After the encryption switch has authenticated the host, the EEPROM memory with SHA-1 on the encryption network card generates a message authentication code;

B3: The CPLD on the encryption network card converts that message authentication code into a control word, and the encryption network card uses the control word to encrypt and decrypt data packets;

C3: The encryption switch uses the same algorithm as the CPLD to produce the same control word, with which it encrypts and decrypts the host's data packets.

The above technical solution has the following advantages. The invention strengthens the authentication stage of Ethernet encryption and, compared with traditional hardware encryption technology, greatly reduces cost; the authentication method of the invention can be repeated periodically, ensuring the real-time availability of the encrypted network. Compared with traditional software encryption technology, the invention is more efficient and does not consume excessive CPU and memory resources. The invention provides a reverse authentication mechanism from the host to the encryption switch, ensuring that every device in the network can verify its peer device. The invention fully protects the encryption and authentication keys, so that even if a device in the network is eavesdropped on, the encryption and authentication algorithms are not easily deciphered. In the invention every device in the encrypted Ethernet LAN has a globally unique identifier, and each authentication uses a random number in generating the message authentication code, ensuring that the message authentication codes generated by any host at different times are never the same, which further increases the difficulty of eavesdropping and deciphering.

Description of the drawings

FIG. 1 is a schematic structural diagram of the Ethernet encryption authentication system according to an embodiment of the present invention;

FIG. 2 is a flowchart of the method by which the encryption switch authenticates a host according to an embodiment of the present invention;

FIG. 3 is a flowchart of the method by which a host authenticates the encryption switch according to an embodiment of the present invention;

FIG. 4 is a flowchart of the method for mutual authentication between the encryption network card driver and the encryption network card according to an embodiment of the present invention;

FIG. 5 is a flowchart of the method for encrypting and decrypting data packets according to an embodiment of the present invention.

Detailed description

The following embodiments illustrate the invention but are not intended to limit its scope.

As shown in FIG. 1, an Ethernet encryption authentication system according to the present invention comprises an encryption switch and an encryption network card installed in a client host; the encryption network card comprises:

an EEPROM memory with SHA-1, used to store the serial number and key of the encryption network card and to generate a message authentication code from the serial number, the key and user-defined data;

a CPLD, used to generate a random number and to produce a control word for encrypting important data packets;

a network control chip, connected respectively to the EEPROM memory with SHA-1 and to the CPLD, used to control the Ethernet interface; the network control chip provides an extended IIC interface, GPIO and a PCIe interface. The network control chip is an Intel 82574 chip, though it may also be any other network control chip that meets the functional requirements;

the encryption switch comprises a SHA-1 coprocessor, used to store the serial number and key of the encryption switch, to generate a random number, and to generate a message authentication code from the serial number, the key and the random number.

As shown in FIG. 2, the method of the present invention by which the encryption switch authenticates a host, using the foregoing system, comprises the following steps:

A: When the encryption switch detects that a new host has connected to one of its network interfaces, it sends a custom message to the host requesting the serial number of its encryption network card;

B: The host communicates, through the network control chip, with the EEPROM memory with SHA-1 on the encryption network card, reads the serial number of the encryption network card and sends it to the encryption switch;

C: The SHA-1 coprocessor on the encryption switch generates a random number and a challenge message, which are sent to the host, and generates a verification message authentication code from the random number, the serial number of the encryption network card and the key;

D: After receiving the challenge message, the host passes it to the EEPROM memory with SHA-1 on the encryption network card;

E: The EEPROM memory with SHA-1 generates a message authentication code from the received random number, the serial number of the encryption network card and the key;

F: The host encapsulates the message authentication code generated by the encryption network card in a response message and sends it to the encryption switch;

G: The encryption switch compares the verification message authentication code it generated with the message authentication code sent by the host. If the two match, it provides network switching service to the host; otherwise it shuts down the port to which the host is connected.

Even for a host that has passed authentication, the encryption switch may re-initiate the authentication process at regular intervals (for example, every few minutes); if the host passes, service continues, otherwise the host is isolated from the rest of the network.
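The exchange of steps A to G, as an added Python model that is not code from the patent or from Opzoon: the switch issues a fresh random number per round, both sides compute a MAC over the card's serial number and that random number under the shared key, and the switch opens or closes the port on the comparison. The class names, the use of HMAC-SHA1 to stand in for the unspecified SHA-1 MAC, and the sample serial numbers and key are assumptions; the same computation, with the roles swapped, is what FIG. 3 and FIG. 4 describe.

```python
import hashlib
import hmac
import secrets


def mac_sha1(key: bytes, serial: bytes, random_number: bytes) -> bytes:
    # Message authentication code over the serial number and the random number under the key.
    # Assumption: the patent only says a SHA-1 based MAC is computed; HMAC-SHA1 stands in for it.
    return hmac.new(key, serial + random_number, hashlib.sha1).digest()


class EncryptedNic:
    """Encryption network card: the EEPROM with SHA-1 holding the serial number and the key."""

    def __init__(self, serial: bytes, key: bytes) -> None:
        self.serial = serial
        self._key = key  # stays inside the device; only MACs ever leave it

    def read_serial(self) -> bytes:  # step B
        return self.serial

    def answer_challenge(self, random_number: bytes) -> bytes:  # steps D and E
        return mac_sha1(self._key, self.serial, random_number)


class Host:
    """Client host: relays messages between the switch and the card; it never sees the key."""

    def __init__(self, nic: EncryptedNic) -> None:
        self.nic = nic

    def report_serial(self) -> bytes:
        return self.nic.read_serial()

    def answer_challenge(self, random_number: bytes) -> bytes:  # step F
        return self.nic.answer_challenge(random_number)


class ReplayingHost(Host):
    """Host without the card that replays a MAC captured from an earlier exchange."""

    def __init__(self, serial: bytes, captured_mac: bytes) -> None:
        self.serial, self.captured_mac = serial, captured_mac

    def report_serial(self) -> bytes:
        return self.serial

    def answer_challenge(self, random_number: bytes) -> bytes:
        return self.captured_mac  # ignores the fresh random number


class EncryptionSwitch:
    """Encryption switch: the SHA-1 coprocessor plus per-port enforcement of the result."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.port_open = {}          # port id -> True while switching service is provided
        self.last_response = b""     # what an eavesdropper on the wire would capture

    def authenticate(self, port: int, host: Host) -> bool:
        serial = host.report_serial()                          # steps A and B
        random_number = secrets.token_bytes(8)                 # step C: fresh per round
        expected = mac_sha1(self._key, serial, random_number)  # verification MAC
        response = host.answer_challenge(random_number)        # steps D to F
        self.last_response = response
        ok = hmac.compare_digest(expected, response)           # step G, constant-time compare
        self.port_open[port] = ok                              # serve the host, or close its port
        return ok


def run_demo() -> dict:
    shared_key = b"constructed-shared-key-0001"  # constructed sample; a real key is provisioned at manufacture
    switch = EncryptionSwitch(shared_key)
    genuine = Host(EncryptedNic(b"NIC-000001", shared_key))
    clone = Host(EncryptedNic(b"NIC-000001", b"constructed-wrong-key"))  # copies the serial, not the key
    first = switch.authenticate(1, genuine)
    captured = switch.last_response            # an eavesdropper records this round's response
    second = switch.authenticate(1, genuine)   # periodic re-authentication with a new random number
    wrong_key = switch.authenticate(2, clone)
    replay = switch.authenticate(3, ReplayingHost(b"NIC-000001", captured))
    return {
        "genuine_first": first,
        "genuine_reauth": second,
        "wrong_key_rejected": not wrong_key,
        "replay_rejected": not replay,
        "ports": dict(switch.port_open),
    }
```

The replaying host fails because the second round's random number differs from the first, which is the property the summary relies on when it says a host's MACs are never the same at different times.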

As shown in FIG. 3, the method of the present invention by which a host authenticates the encryption switch, using the foregoing system, comprises the following steps:

A1: After the host detects that it has established a connection with the encryption switch, it sends a message requesting that the encryption switch provide the network card serial number; the encryption switch communicates with its SHA-1 coprocessor, reads the network card serial number and sends it to the host;

B1: The CPLD generates a random number, the EEPROM memory with SHA-1 reads out the network card serial number, and the random number and the network card serial number are encapsulated in a challenge message and sent to the encryption switch;

C1: The host sends the random number generated by the CPLD to the EEPROM memory with SHA-1, which computes a verification message authentication code from the random number, the network card serial number and the key;

D1: The encryption switch sends the network card serial number and the random number from the received challenge message to its SHA-1 coprocessor, which computes a message authentication code from the random number, the network card serial number and the key;

E1: The encryption switch encapsulates the computed message authentication code in a response message and sends it to the host;

F1: The host sends the received message authentication code and the verification message authentication code to the CPLD for comparison. If the two match, the host uses the network switching service provided by the encryption switch; otherwise the CPLD shuts down the network connection of the network card.

As shown in FIG. 4, the method of the present invention for mutual authentication between the encryption network card driver and the encryption network card, using the foregoing system, comprises the following steps:

A2: A USB KEY containing a SHA-1 coprocessor is inserted into a PCI slot or USB port of the host;

B2: The encryption network card driver sends the encryption network card a request to read its serial number, reads the serial number and sends it to the USB KEY;

C2: The encryption network card driver requests the USB KEY to generate a random number, reads that random number and sends it to the encryption network card;

D2: The EEPROM memory with SHA-1 generates a message authentication code from the key, the random number and the serial number of the encryption network card, and the encryption network card driver reads it back;

E2: The USB KEY generates a verification message authentication code from the key, the random number and the serial number of the encryption network card, and the encryption network card driver reads it back;

F2: The encryption network card driver compares the message authentication code with the verification message authentication code. If the two match, the network connection continues to be used; otherwise use of the network connection is stopped.

After the encryption network card has been installed in the host, a legitimate network card driver must be installed to carry out the authentication process and to control the encryption network card correctly; only then can the encryption network card work normally. The network card driver running on the host and the installed encryption network card must authenticate each other, to guarantee that the peer is legitimate and functioning normally, before the network connection may be used. Otherwise, neither an encryption network card used with an ordinary network card driver, nor a host that has the correct encryption network card driver installed but only an ordinary network card, achieves the intended security effect; as soon as such a situation is detected, use of that network connection should be prohibited immediately.

Preferably, the above method further comprises a step in which the CPLD maintains a timer that supervises the periodic authentication of the encryption network card by the encryption network card driver. If the timer expires, this shows that the host software is illegitimate or is not running properly, and the CPLD autonomously disconnects the network connection of the network card; this is in effect an authentication of the host software.

As shown in FIG. 5, the method of the present invention for encrypting and decrypting data packets, using the foregoing system, comprises the following steps:

A3:加密交换机对主机进行认证后,加密网卡上的带有SHA-1的EEPROM存储器生成消息认证码;A3: After the encryption switch authenticates the host, the EEPROM memory with SHA-1 on the encrypted network card generates a message authentication code;

B3:加密网卡上的CPLD将该消息认证码转化为控制字,加密网卡利用该控制字对数据报文进行加解密;B3: The CPLD on the encrypted network card converts the message authentication code into a control word, and the encrypted network card uses the control word to encrypt and decrypt the data message;

C3:加密交换机使用与CPLD同样的算法产生同样的控制字对主机的数据报文进行加解密。C3: The encryption switch uses the same algorithm as the CPLD to generate the same control word to encrypt and decrypt the data packets of the host.

由于每经过一次加密交换机对主机的重新认证过程,消息认证码的值都会改变,控制字的值也随之改变,加上每个主机的网卡都有全球唯一的序列号,从而保证了加密控制字随不同主机不同时间的改变而改变,即使网络遭到监听,也很难将报文密钥及加密机制完整破译。Because each time the encryption switch re-authenticates the host, the value of the message authentication code changes, and the value of the control word changes. The network card of each host has a global unique serial number, thus ensuring encryption control. Words change with different hosts at different times. Even if the network is monitored, it is difficult to completely decipher the message key and encryption mechanism.

使用软件的方法加解密,耗费大量CPU处理能力和内存资源,降低主机和加密交换机的处理能力和网络吞吐能力,所以建议只采用此方法对关键数据报文进行加密。如果要对全部报文进行加密,更有效的方法是采用硬件加速方案,这样做要采用FPGA或专门的硬件加速芯片,大大增加成本。The method of software encryption and decryption consumes a lot of CPU processing power and memory resources, and reduces the processing power and network throughput of the host and the encryption switch. Therefore, it is recommended to use only this method to encrypt key data packets. If you want to encrypt all the messages, a more effective method is to use hardware acceleration scheme, which uses FPGA or special hardware acceleration chip, which greatly increases the cost.
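The switch-to-host authentication followed by steps A3 to C3, as an added example in Python covering both sides of the link; this is not code from the patent or from its assignee. The patent leaves the cryptographic details open, so the example assumes: the message authentication code is HMAC-SHA1 over the random number and card serial; the "same algorithm" run by the CPLD and by the switch to turn the code into a control word is a truncated SHA-256; and a data message is encrypted by XOR with a keystream derived from the control word. The per-message counter in the keystream is this example's own addition so that no two messages of one session share keystream material.

```python
"""Switch->host authentication, control-word derivation and data-message
encryption on both sides of the link.

Added example; not code from the patent or its assignee. Assumed
constructions: MAC = HMAC-SHA1(key, nonce || serial); control word =
first 16 bytes of SHA-256 over the MAC; message encryption = XOR with
SHA-256(control_word || message_counter || block) keystream.
"""
import hashlib
import hmac
import os


def sha1_mac(key: bytes, nonce: bytes, serial: bytes) -> bytes:
    return hmac.new(key, nonce + serial, hashlib.sha1).digest()


def control_word(mac_value: bytes) -> bytes:
    """B3/C3: the MAC-to-control-word algorithm shared by CPLD and switch (assumed)."""
    return hashlib.sha256(b"control-word" + mac_value).digest()[:16]


def crypt(cw: bytes, counter: int, data: bytes) -> bytes:
    """XOR with a counter-mode keystream; the same call encrypts and decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(
            cw + counter.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class EncryptedNic:
    """EEPROM with SHA-1 plus CPLD on the host side."""

    def __init__(self, serial: bytes, key: bytes) -> None:
        self.serial = serial
        self._key = key
        self.cw = None  # control word the CPLD derives after each authentication

    def answer_challenge(self, nonce: bytes) -> bytes:
        mac_value = sha1_mac(self._key, nonce, self.serial)   # step E / A3
        self.cw = control_word(mac_value)                     # step B3
        return mac_value


class EncryptionSwitch:
    """SHA-1 coprocessor side: challenges each new host and keeps per-port state."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.ports = {}

    def authenticate(self, port: int, nic: EncryptedNic) -> bool:
        serial = nic.serial                              # steps A-B: serial requested and sent
        nonce = os.urandom(8)                            # step C: random number and challenge
        expected = sha1_mac(self._key, nonce, serial)    # verification MAC
        response = nic.answer_challenge(nonce)           # steps D-F: host relays challenge/response
        if hmac.compare_digest(expected, response):      # step G: match -> service, else port closed
            self.ports[port] = {"open": True, "cw": control_word(expected)}  # step C3
        else:
            self.ports[port] = {"open": False, "cw": None}
        return self.ports[port]["open"]


def run_session() -> dict:
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed shared secret
    switch = EncryptionSwitch(key)
    nic = EncryptedNic(serial=bytes.fromhex("a1a2a3a4a5a6a7a8"), key=key)
    opened = switch.authenticate(port=1, nic=nic)
    first_cw = nic.cw
    sides_agree = first_cw == switch.ports[1]["cw"]
    # Host encrypts a critical message with its control word; switch decrypts with its own copy.
    plaintext = b"constructed critical data message"
    wire = crypt(nic.cw, 1, plaintext)
    recovered = crypt(switch.ports[1]["cw"], 1, wire)
    # Re-authentication: fresh nonce, fresh MAC, fresh control word on both sides.
    switch.authenticate(port=1, nic=nic)
    # A card without the provisioned secret is refused and its port closed.
    rogue = switch.authenticate(port=2, nic=EncryptedNic(nic.serial, b"not-the-key"))
    return {
        "port_open": opened,
        "sides_agree_on_cw": sides_agree,
        "ciphertext_differs": wire != plaintext,
        "roundtrip_ok": recovered == plaintext,
        "cw_changes_on_reauth": first_cw != nic.cw,
        "sides_agree_after_reauth": nic.cw == switch.ports[1]["cw"],
        "rogue_port_open": rogue,
    }


if __name__ == "__main__":
    print(run_session())
```

Two points the code makes concrete: the control word is never transmitted, since both sides compute it from a MAC they each already hold, and each re-authentication replaces it, which is why the preceding paragraph can argue that the value differs per host and per session.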

Industrial applicability

The invention provides an Ethernet encryption authentication system and encryption authentication method that ensure the real-time availability of the encrypted network, improve the security of the system so that it is not easily cracked or eavesdropped on, and reduce the cost of Ethernet encryption authentication; it therefore has industrial applicability.

Claims (1)

Claims:

1. An Ethernet encryption authentication system, characterized in that it comprises an encryption switch and an encrypted network card installed in a client host; the encrypted network card comprises:
an EEPROM with SHA-1, for storing the serial number and key of the encrypted network card and generating a message authentication code from the serial number, the key and user-defined data;
a CPLD, for generating random numbers and producing the control word used to encrypt important data packets;
a network control chip, connected respectively to the EEPROM with SHA-1 and to the CPLD, for controlling the Ethernet interface;
and the encryption switch comprises a SHA-1 coprocessor, for storing the serial number and key of the encryption switch, generating random numbers, and generating a message authentication code from the serial number, the key and the random number.

2. The Ethernet encryption authentication system of claim 1, characterized in that the network control chip is provided with an extended IIC interface, GPIO and a PCIe interface.

3. The Ethernet encryption authentication system of claim 1 or 2, characterized in that the network control chip is an Intel 82574 chip.

4. A method for authentication of a host by an encryption switch using the system of any one of claims 1 to 3, characterized in that it comprises the following steps:
A: when the encryption switch detects that a new host has connected to one of its network interfaces, it sends a custom message to the host requesting the serial number of the encrypted network card;
B: the host communicates with the EEPROM with SHA-1 on the encrypted network card through the network card control chip, reads the serial number of the encrypted network card and sends it to the encryption switch;
C: the SHA-1 coprocessor on the encryption switch generates a random number and a challenge message, sends them to the host, and generates a verification message authentication code from the random number, the serial number of the encrypted network card and the key;
D: upon receiving the challenge message, the host sends it to the EEPROM with SHA-1 on the encrypted network card;
E: the EEPROM with SHA-1 generates a message authentication code from the received random number, the serial number of the encrypted network card and the key;
F: the host encapsulates the message authentication code generated by the encrypted network card in a response message and sends it to the encryption switch;
G: the encryption switch compares the verification message authentication code it generated with the message authentication code sent by the host; if the two match, it provides network switching service to the host, otherwise it closes the port to which the host is connected.

5. A method for authentication of an encryption switch by a host using the system of any one of claims 1 to 3, characterized in that it comprises the following steps:
A1: after the host detects that it has established a connection with the encryption switch, it sends a message requesting the encryption switch to provide its network card serial number; the encryption switch communicates with the SHA-1 coprocessor, reads the network card serial number and sends it to the host;
B1: the CPLD generates a random number, the EEPROM with SHA-1 reads out the network card serial number, and the random number and network card serial number are encapsulated in a challenge message and sent to the encryption switch;
C1: the host sends the random number generated by the CPLD to the EEPROM with SHA-1, which computes a verification message authentication code from the random number, the network card serial number and the key;
D1: the encryption switch sends the network card serial number and random number from the challenge message it received to the SHA-1 coprocessor, which computes a message authentication code from the random number, the network card serial number and the key;
E1: the encryption switch encapsulates the computed message authentication code in a response message and sends it to the host;
F1: the host sends the message authentication code it received and the verification message authentication code to the CPLD for comparison; if the two match, the encryption switch is used to provide network switching service, otherwise the CPLD closes the network connection of this network card.

6. A method for mutual authentication between an encrypted network card driver and an encrypted network card using the system of any one of claims 1 to 3, characterized in that it comprises the following steps:
A2: a USB KEY including a SHA-1 coprocessor is inserted in a PCI slot or USB interface of the host;
B2: the encrypted network card driver sends the encrypted network card a request to read its serial number, reads the serial number and sends it to the USB KEY;
C2: the encrypted network card driver requests the USB KEY to generate a random number, reads the random number and sends it to the encrypted network card;
D2: the EEPROM with SHA-1 generates a message authentication code from the key, the random number and the serial number of the encrypted network card, and the encrypted network card driver reads it back;
E2: the USB KEY generates a verification message authentication code from the key, the random number and the serial number of the encrypted network card, and the encrypted network card driver reads it back;
F2: the encrypted network card driver compares the message authentication code with the verification message authentication code; if the two match, it continues to use the network connection, otherwise it stops using the network connection.

7. The method for mutual authentication between an encrypted network card driver and an encrypted network card of claim 6, characterized in that it further comprises the step of using a timer maintained by the CPLD to supervise the periodic authentication of the encrypted network card by the encrypted network card driver.

8. A method for encrypting and decrypting data messages using the system of any one of claims 1 to 3, characterized in that it comprises the following steps:
A3: after the encryption switch authenticates the host, the EEPROM with SHA-1 on the encrypted network card generates a message authentication code;
B3: the CPLD on the encrypted network card converts this message authentication code into a control word, and the encrypted network card uses the control word to encrypt and decrypt data messages;
C3: the encryption switch uses the same algorithm as the CPLD to produce the same control word, with which it encrypts and decrypts the host's data messages.
PCT/CN2011/084741 2011-12-16 2011-12-27 Ethernet encryption and authentication system and method Ceased WO2013086758A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110425336.9 2011-12-16
CN201110425336.9A CN102571348B (en) 2011-12-16 2011-12-16 Ethernet encryption authentication system and encryption authentication method

Publications (1)

Publication Number Publication Date
WO2013086758A1 true WO2013086758A1 (en) 2013-06-20

Family

ID=46415889

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/084741 Ceased WO2013086758A1 (en) 2011-12-16 2011-12-27 Ethernet encryption and authentication system and method

Country Status (2)

Country Link
CN (1) CN102571348B (en)
WO (1) WO2013086758A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105471861A (en) * 2015-11-19 2016-04-06 上海应用技术学院 Dynamic message packaging method and dynamic tunnel construction method
CN105721458A (en) * 2016-01-30 2016-06-29 安徽欧迈特数字技术有限责任公司 Industrial Ethernet switching method based on ISG security password technique
CN111294211A (en) * 2020-02-13 2020-06-16 山东方寸微电子科技有限公司 USB network card data encryption and decryption method based on RNDIS
CN111541663A (en) * 2020-04-14 2020-08-14 北京数盾信息科技有限公司 Link exchange encryption system based on national password standard
CN117714031A (en) * 2024-01-11 2024-03-15 无锡路通视信网络股份有限公司 High-speed data encryption communication method

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103714296B (en) * 2012-09-29 2016-12-21 西安诺瓦电子科技有限公司 A kind of method realizing display screen control system and computer binding by AES
CN103903022B (en) * 2012-12-28 2017-06-20 北京握奇数据系统有限公司 It is a kind of support more cover personal data application of IC cards realization method and system
CN103401697B (en) * 2013-07-01 2017-02-01 华为技术有限公司 Method and device for controlling equipment interface remotely
CN105791296A (en) * 2016-03-08 2016-07-20 浪潮集团有限公司 A method for fast scrambling and descrambling of network messages
CN106295374B (en) * 2016-08-23 2019-07-09 记忆科技(深圳)有限公司 A kind of encryption Hub device for supporting multiple UFS equipment
CN107689961A (en) * 2017-09-14 2018-02-13 长沙开雅电子科技有限公司 A kind of switch ports themselves certification access-in management device
CN110417706B (en) * 2018-04-27 2022-05-31 中泓慧联技术有限公司 Switch-based secure communication method
CN109450931A (en) * 2018-12-14 2019-03-08 北京知道创宇信息技术有限公司 A kind of secure internet connection method, apparatus and PnP device
CN115412917A (en) * 2022-08-11 2022-11-29 浪潮思科网络科技有限公司 Data processing method, device, equipment and medium of a switch
CN116155480A (en) * 2023-02-06 2023-05-23 医渡云(北京)技术有限公司 Remote monitoring method and device, electronic equipment, and storage medium for clinical trials

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020166070A1 (en) * 2001-05-04 2002-11-07 Avraham Mualem Method and apparatus to reduce errors of a security association
WO2005052754A2 (en) * 2003-11-21 2005-06-09 Finisar Corporation Secure network access devices with data encryption
WO2006036320A2 (en) * 2004-08-25 2006-04-06 Harris Corporation System and method for creating a security application for programmable cryptography module
CN101087230A (en) * 2006-06-05 2007-12-12 株式会社日立制作所 Adaptor and ic card for encrypted communication on network

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101291244B (en) * 2007-04-16 2011-07-20 深圳市维信联合科技有限公司 Network security management method and system thereof
CN101179376A (en) * 2007-12-05 2008-05-14 龙刚 Method of implementing LAN information safety and method based safe network card and network

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105471861A (en) * 2015-11-19 2016-04-06 上海应用技术学院 Dynamic message packaging method and dynamic tunnel construction method
CN105471861B (en) * 2015-11-19 2018-08-07 上海应用技术学院 Message dynamic encapsulation method and dynamic tunnel construction method
CN105721458A (en) * 2016-01-30 2016-06-29 安徽欧迈特数字技术有限责任公司 Industrial Ethernet switching method based on ISG security password technique
CN111294211A (en) * 2020-02-13 2020-06-16 山东方寸微电子科技有限公司 USB network card data encryption and decryption method based on RNDIS
CN111541663A (en) * 2020-04-14 2020-08-14 北京数盾信息科技有限公司 Link exchange encryption system based on national password standard
CN117714031A (en) * 2024-01-11 2024-03-15 无锡路通视信网络股份有限公司 High-speed data encryption communication method
CN117714031B (en) * 2024-01-11 2024-06-04 无锡路通视信网络股份有限公司 High-speed data encryption communication method

Also Published As

Publication number Publication date
CN102571348A (en) 2012-07-11
CN102571348B (en) 2014-09-24

Similar Documents

Publication Publication Date Title
WO2013086758A1 (en) Ethernet encryption and authentication system and method
JP5815294B2 (en) Secure field programmable gate array (FPGA) architecture
WO2014044065A1 (en) Method and system for securely accessing portable hotspot of smart phones
WO2020147383A1 (en) Process examination and approval method, device and system employing blockchain system, and non-volatile storage medium
JP2008533882A (en) How to backup and restore encryption keys
WO2014069783A1 (en) Password-based authentication method, and apparatus for performing same
WO2014139344A1 (en) Key download method, management method, download management method and device, and system
WO2019088689A1 (en) Puf-qrng quantum cryptographic security terminal system and cryptographic key generation method
WO2020050424A1 (en) BLOCK CHAIN-BASED SYSTEM AND METHOD FOR MULTIPLE SECURITY AUTHENTICATION BETWEEN MOBILE TERMINAL AND IoT DEVICE
WO2020186775A1 (en) Service data providing method, apparatus and device, and computer-readable storage medium
CN107113171A (en) Safe communication system, method and device
WO2012048493A1 (en) Method and apparatus for protecting software of mobile terminal
WO2012149717A1 (en) License dynamic management method, device and system based on tcm or tpm
WO2016206530A1 (en) Highly secure mobile payment method, apparatus, and system
WO2018145357A1 (en) Email encryption method and system
JP7586355B2 (en) Cryptographic communication system, secure element, device, and cryptographic communication method
WO2023211121A1 (en) System for controlling file transmission and reception of application on basis of proxy, and method therefor
WO2018098886A1 (en) Method for opening vehicle door, mobile terminal, vehicle-mounted terminal, and system
WO2022211436A1 (en) Methods, access point device and station device for closed wi-fi hotspot network
WO2020067734A1 (en) Non-address network equipment and communication security system using same
KR102539418B1 (en) Apparatus and method for mutual authentication based on physical unclonable function
WO2016090990A1 (en) Method and system for descrambling scrambled transport stream
GB2579884A (en) Methods and systems of securely transferring data
KR101754519B1 (en) Keyboard secure system and method for protecting data input via keyboard using one time key
WO2023054857A1 (en) Device inside network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11877326

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11877326

Country of ref document: EP

Kind code of ref document: A1